CONTROLS OVER ACCESS TO EMPLOYEE EMAILS BY SBA MANAGERS

Report No. 08-02

Date Issued: October 19, 2007

by the
Office of Inspector General
U.S. Small Business Administration


U.S. Small Business Administration
Office of Inspector General

To:      Christine Liu                                  Date: October 19, 2007
         Chief Information Officer

From:    Debra S. Ritt
         Assistant Inspector General for Auditing

         /S/ original

Subject: Report on Controls over Access to Employee Emails by SBA Managers

This report [...] the potential risks related to administrative access to employee emails and information system applications by Small Business Administration (SBA) managers, and recommends actions to strengthen controls over such access.

On August 29, 2007, the Inspector General notified you that the Office of Disaster Assistance (ODA) had [...] emails [...] from an employee who was a confidential source to the Office of Inspector General (OIG) and a Congressional committee. The employee's emails were [...] following a Congressional [...] [...] which the employee, who wished to remain anonymous, had submitted [...] record.

We would like to work with you to develop appropriate safeguards to prevent [...] of OIG emails and information system applications. The Inspector General Act of 1978 provides that the identity of Federal employees who raise complaints to the OIG about their employing [...] confidential. The Act further prohibits acts of retaliation against employees who submit complaints to the [OIG]. Management's ability to [...] confidential employee-OIG [...] [...] troubling [...] about whether agency employees can confidently and [...] bring confidential [...] to the OIG's attention, which undermines statutory protections.

We [...] with you in your dual [...] of Chief Information Officer and [Chief] Privacy Officer to identify your procedures for [...] access and to [...] whether your office had authorized the email retrievals. [The OIG] Investigations Division subsequently conducted interviews [...] ODA [...], which highlighted the ability of ODA management to [...] employee emails without [...] OCIO any justification for such reviews. [There] was no formal [...] OCIO to [...] and [...] emails to ODA [...]. [...] are summarized below.

RESULTS

[Under] SOP 90 47 2, Automated Information Security (AIS) Program, [the Chief] Information Officer (CIO) is [responsible] for the development and [...] the [AIS] program. The CIO is also the [Chief] Privacy Officer, and as such, is responsible [for] controlling access to [...] and system applications. In a February 11, 2005, Office of Management and Budget (OMB) [memorandum] (M-05-08), [agencies] were [...] to implement actions to [...] information. The memorandum stated, "As required by [the Federal] Information Security Management [Act] (FISMA), [and] other [...] policies, [each] agency must [...] to protect information from unauthorized [...] disclosure or sharing, and to protect associated information systems from unauthorized access, modification, disruption or destruction." [The] OMB memorandum [...] that "[w]hen compliance issues are [...] are obligated to take [...] to remedy them."

[Based] on additional interviews and [...] information obtained [...], we determined that the Agency lacked clear written guidance [...]. Standard Operating Procedure (SOP) 90 49, Appropriate Use of SBA's Automated Information [...], [...] that emails [are] subject to examination in connection with authorized official Agency reviews (e.g., OIG investigations, [...] and inspections, administrative [...] and [...]). [...] there is no [...] on when an administrative inquiry and review [of] emails would [be] considered "authorized," who would be [...] to [...] the [...], and when centralized approval would be [...].

[...] disclosed that [ODA] management [retrieved the emails without obtaining] approval from or notifying the CIO. [The CIO] and [...] were unaware of the circumstances or actions relating to ODA's review of the [emails, and stated] that, as the [...] Chief [Privacy] Office[r], ODA should have obtained her authorization. [The] CIO also advised that her office had not [...] written [...] on how [...] should be [...].

In the absence of controls, such as a [...] authorization [...] guidance [...] conducting administrative reviews of employee [emails], [there is no] assurance that appropriate safeguards are consistently employed, [nor] the ability to monitor who is [...] emails, the frequency [of] such reviews, or the purposes of such reviews. Although [...] of employee [emails] may be [...] to determine whether an employee [...] violated [...] or for information [...] security purposes, [...] creates an environment where employees [...] be subject to [...] illegitimate [...].

RECOMMENDATIONS

[To mitigate the] potential risks from [unauthorized] access to emails, [we recommend that the CIO]:

1. Immediately communicate to individuals having system administrator rights that requests for email retrievals must be approved centrally by his/her office.

2. Revise SOP 90 49 to establish appropriate protocols for conducting administrative inquiries and reviews of employee emails, including identifying the criteria for determining whether an email review would be considered "authorized," and identifying the appropriate authorization levels needed before an administrative review is conducted. The SOP should also define the respective roles of the Chief Privacy Officer (CPO), CIO, and Director of Information Security in authorizing access to Agency emails and information system applications.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

On [...] 14, 2007, we provided [...]. On October 10, 2007, [the CIO] provided [her comments, which are included] in Appendix 1. [The CIO] agreed with our [recommendations and] stated that it would prepare an [executive Agency-wide] directive [by] October 19, 2007, that [requires] all [e-mail] retrieval [requests to be] approved centrally by the CIO and [the Office of General] Counsel (OGC). [OCIO] and OGC [will] also [work] jointly to [establish the criteria] and authorization [levels] required to access Agency user e-mails. [Management]'s comments were [...] audit recommendations.

We [appreciate the] cooperation of ODA [and] OCIO representatives [...]. [Should] you [have] any questions [regarding] this report, [please contact] Jeff Brindle, [Director], [...] 205-[...].


                                                                          Appendix 1

U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20416

Date:     October 10, 2007

To:       Debra S. Ritt
          Assistant Inspector General for Auditing

From:     Christine H. Liu            [Exemption 6]
          Chief Information Officer

Subject:  Draft Report on Controls over Access to Employee E-mails by SBA Managers -
          Project No. 07-31

In reviewing OIG's draft report on "Controls over Access to Employee E-mails by SBA Managers", our office has begun working with the Office of the General Counsel (OGC) on the two OIG recommendations resulting from this report -- for the Agency to put in place policy and measures to mitigate potential risks from unauthorized access to individual user e-mail boxes. We have asked ODA to comment further on the actual audit findings.

A. Recommendation 1: Immediately communicate to individuals having system administrator rights that requests for e-mail retrievals must be approved centrally by his/her office.

SBA Response: The Chief Information Officer (CIO), in conjunction with OGC, will prepare an executive Agency-wide directive for issuance by SBA Deputy or Chief of Staff to require that all e-mail retrieval requests must be submitted to SBA's Chief Information Security Officer (CISO) for approval by the CIO and OGC. This directive will go out by October 19, 2007.

B. Recommendation 2: Revise SOP 9049 to establish appropriate protocols for conducting administrative inquiries and reviews of employee e-mails, including identifying the criteria for determining whether an e-mail review would be considered "authorized", and identifying the appropriate authorization levels needed before an administrative review is conducted. The SOP should also define the respective roles of the Chief Privacy Officer (CPO), CIO, and Director of Information Security in authorizing access to Agency e-mails and information system applications.

(1) [...] OGC jointly [...] determining authorized e-mail [...] the appropriate [...] before an [...] review [...].

(2) OCIO will work on incorporating [into] the SOP 90 [49] clear [...] of the CISO, CPO, the CIO and the OGC in authorizing [...].

This [...] authorizing access to e-mail, [...] not [...]. We [...] this policy to be drafted [...] by October [...].

cc:       OGC - [...] Borchert, General Counsel
          OIG - [Jeff] Brindle, Director
          OCIO - David McCauley, [...]
          [...] McClam, [...]


U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20416

To:       Debra Ritt
          Assistant Inspector General for Auditing

From:     Herbert L. Mitchell
          [Associate] Administrator for [Disaster Assistance]

Subject:  Draft [Report], Project No. 07-31

[...] with both the recommendations made to [the Chief Information Officer] (CIO), and her responses. We believe that the [...] of employees' [...].

[...] the Processing and Disbursement Center has indicated that, while [...] to insure that loan applicants' privacy rights were protected, they identified emails from employees without obtaining the authorization [of the] CIO. [...] no violations were discovered, [...] the Agency had no policies and [procedures] in place. This was not [done] in retaliation [for] any [...] the employees may have [been] involved with [...] not acted on any of the information.

Until the Agency develops and [...] policies and [procedures] in [...] to [...] handling [...] access to employee emails, we have instructed all managers to submit such [requests] to ODA Headquarters [for] review and a decision by the CIO.

                                     [Exemption 6]

Herbert L. Mitchell


REPORT DISTRIBUTION

Recipient                                                          No. of Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown ........................................................ 1

General Counsel ................................................................. 3

U.S. Government Accountability Office ........................................... 2